On 2/18/2008 at 2:35 PM, Satyam Mathura <[EMAIL PROTECTED]> wrote:

> Hey guys,
> I've got an interesting problem. We have a couple R65 firewalls in a back to
> back configuration. E.g.:
>
> Internal_Net -> FW1 -> DMZ -> FW2 -> External_Net
>
> I have a device on my internal network that needs to connect to servers on
> the Internet and send data via TCP:10061. This worked for a few days and was
> logged correctly by the firewall but then stopped mysteriously. I can
> confirm that no network / firewall changes were made during this time.
> SmartView Tracker will show no entries for this traffic and the destination
> hosts can confirm that no data is being sent from us.
>
> An fw monitor -e "accept src=<network device>;" will also show no results
> for this traffic. However, a tcpdump on the entry and exit interfaces of
> both firewalls shows traffic from the source device flowing through the
> firewalls using the designated port and protocol. Additionally an fw tab -t
> connections -u shows the connections for this device on both firewalls.
>
> I have tried the obvious re-installation of policies, rebooting of
> firewalls, clearing of the entries in the connections table for the src ip
> of the network device.
>
> My questions are:
>
> 1) Why would tcpdump show traffic, but fw monitor returns no results?
It appears that "fw monitor" does not display packets for established TCP connections. I believe there is some sort of fast processing magic for established TCP that bypasses a lot of the FW processing, including the "fw monitor" hooks. That's my guess. I don't think I've seen this fully documented. But I've seen the same thing you describe in R65 SPlat.

> 2) Any idea why it would work for a couple days and then stop working
> altogether? I'm thinking that it must have something to do with the TCP
> session timeouts for this protocol or the type of connection that is
> established from this network device.

Lemme guess. This "device" is some funky little thing with some custom, quirky TCP/IP stack? Does it try to use the same source port for all of its connections? Yes? We've had this same problem with IP phones. Check Point has some "Smart Connection Re-use" features that don't play well with some funny TCP/IP stacks.
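One way to check the source-port hypothesis raised in the reply, as an added example that is not code from the original thread: parse tcpdump-style lines from the firewall's entry interface, and report any client whose SYNs reuse one source port for several peers, plus any 4-tuple whose SYN repeats while the previous entry would still be inside the connection-table timeout. The capture lines, the device address 10.1.2.50 and the 3600-second timeout are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture): device 10.1.2.50 opens
# sessions to several Internet hosts on TCP/10061, always from source port 40000.
SAMPLE_CAPTURE = """\
14:02:01.000001 IP 10.1.2.50.40000 > 203.0.113.10.10061: Flags [S], seq 1, win 65535, length 0
14:02:01.000500 IP 203.0.113.10.10061 > 10.1.2.50.40000: Flags [S.], seq 2, ack 2, win 65535, length 0
14:02:05.000001 IP 10.1.2.50.40000 > 203.0.113.11.10061: Flags [S], seq 1, win 65535, length 0
14:02:09.000001 IP 10.1.2.50.40000 > 203.0.113.10.10061: Flags [S], seq 1, win 65535, length 0
14:02:12.000001 IP 10.1.2.51.51234 > 203.0.113.10.10061: Flags [S], seq 1, win 65535, length 0
14:02:13.000001 IP 10.1.2.51.51235 > 203.0.113.11.10061: Flags [S], seq 1, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_syns(text):
    """Yield (ts_seconds, src, sport, dst, dport) for every client SYN (flags exactly 'S')."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["flags"] != "S":
            continue
        h, mi, s = m["ts"].split(":")
        ts = int(h) * 3600 + int(mi) * 60 + float(s)
        yield ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def find_port_reuse(text, min_peers=2):
    """Map each (src, sport) that sends SYNs to several distinct peers -> sorted peer list.
    A stack that pins one source port for every session is the pattern the reply suspects."""
    peers = defaultdict(set)
    for _ts, src, sport, dst, dport in parse_syns(text):
        peers[(src, sport)].add((dst, dport))
    return {k: sorted(v) for k, v in peers.items() if len(v) >= min_peers}

def find_syn_on_open_entry(text, timeout_s=3600):
    """Return 4-tuples whose SYN repeats while the earlier entry is still within timeout_s.
    Such a SYN can be matched against the stale connection-table entry instead of creating
    (and logging) a new connection, which is the symptom described in the question."""
    last_syn, hits = {}, []
    for ts, src, sport, dst, dport in parse_syns(text):
        key = (src, sport, dst, dport)
        if key in last_syn and ts - last_syn[key] < timeout_s:
            hits.append(key)
        last_syn[key] = ts
    return hits
```

Feed it the output of tcpdump on the firewall's internal interface filtered on the device address; a non-empty result from either function is the evidence to take to the connection re-use settings.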
